Paul Moore



Security consultant, researcher & CISO at Icebook.



Identity theft & payment fraud? That's ASDA price.


Back in March 2014, I contacted ASDA to report several security vulnerabilities and despite a fix promised "in the next few weeks", little appears to have changed.

After 677 days and several tweets along a similar vein, my patience has finally run out.

What's the problem?

Two of the simplest and most prevalent exploits allow an attacker to quickly & effectively collect personal information & full payment details.

Rather than outline the finer points of CSRF (Cross Site Request Forgery) & XSS (Cross Site Scripting) for the umpteenth time, it's probably easier to show you.

Have I been affected?

As of Q2 2014, ASDA processed upwards of 200,000 online orders each week. Given the length of time this has been exploitable, that equates to over 19 million transactions.

I'm not aware of any evidence suggesting these exploits are being used in the wild, but just a few months after my initial report, this tweet appeared.

Unfortunately, it's difficult to know if your details have been stolen unless the attacker uses the information very shortly after the breach occurs, such that it's reasonable to assume a link between the two. However, ASDA may be able to shed further light on anyone affected by this, or any other exploit.

How can I protect myself?

The safest way is simply to shop elsewhere.

ASDA/Walmart have had ample opportunity to fix these issues and have failed to do so. If you must continue shopping with ASDA, open a "private" / "incognito" window and do not open any other tabs/windows until you've logged out.

Other issues...

Well, they don't enforce SSL/TLS during login and the entire session is maintained over an insecure protocol.
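The three weaknesses described above (a CSRF hole, an XSS hole, and a session carried over plain HTTP) are each closed by a small, well-known server-side control. The following Python is an added example written for this page, not code from the original post or from ASDA; the site origin, server secret, session id and sample headers are constructed placeholders. It shows a per-session CSRF token checked in constant time alongside an Origin/Referer check, entity encoding of user-controlled text before it is rendered, and a session cookie issued with the Secure, HttpOnly and SameSite attributes, plus a small audit helper that reports which of those attributes a given Set-Cookie header lacks.

```python
import hmac
import html
from urllib.parse import urlsplit

# Constructed placeholder for the shop's own origin (not ASDA's real hostname).
SITE_ORIGIN = "https://shop.example"


def new_session_cookie(name: str, value: str) -> str:
    """Issue a session cookie that the browser will only send over HTTPS (Secure),
    that page script cannot read even if XSS lands (HttpOnly), and that is not
    attached to cross-site POSTs (SameSite=Lax), which blunts CSRF."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_findings(set_cookie_header: str) -> list:
    """Audit helper: return the hardening attributes missing from a Set-Cookie header,
    in a fixed order, so a reviewer can see at a glance what a response omits."""
    attrs = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie_header.split(";")[1:]
    }
    return [flag for flag in ("secure", "httponly", "samesite") if flag not in attrs]


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Derive a CSRF token bound to the session: HMAC-SHA256 of the session id under a
    server-side secret, so the server need not store a token per session."""
    return hmac.new(session_secret, session_id.encode(), "sha256").hexdigest()


def request_is_trusted(headers: dict, form: dict, session_secret: bytes, session_id: str) -> bool:
    """Accept a state-changing request only when (a) the Origin header, or failing that
    the Referer, names our own site and (b) the submitted token matches the one derived
    for this session. The comparison is constant-time to avoid leaking the token."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False
    expected = issue_csrf_token(session_secret, session_id)
    submitted = str(form.get("csrf_token", ""))
    return hmac.compare_digest(expected.encode(), submitted.encode())


def render_greeting(display_name: str) -> str:
    """Render user-controlled text into HTML with entity encoding, so a name containing
    markup is displayed literally instead of being executed as script."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    secret = b"constructed-server-secret"
    sid = "sess-123"
    print(cookie_findings("session=abc; Path=/"))            # unprotected cookie
    print(cookie_findings(new_session_cookie("session", "abc")))
    good = {"Origin": SITE_ORIGIN}
    foreign = {"Origin": "https://attacker.example"}
    form = {"csrf_token": issue_csrf_token(secret, sid)}
    print(request_is_trusted(good, form, secret, sid))      # True
    print(request_is_trusted(foreign, form, secret, sid))   # False
    print(render_greeting("<script>alert(1)</script>"))
```

The audit helper is the piece a defender would point at a real response: a cookie that comes back with only `Path=/` is exactly the "entire session over an insecure protocol" case, and adding the three attributes is a one-line server change.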

Another user spotted this too... and tweeted ASDA.

Did they acknowledge the issue & deploy a fix? Not quite.

--

When Sarah tried to apply for a job, she was greeted with this error.

Did they spot their mistake, generate and deploy a new certificate?

No. They go on to recommend Sarah delete her cookies!

Scott tried to apply for a job too.

Surely now they'll fix it, right?

Nope. Now, it's fully secure.

Summary

Despite a speedy response to my first email and a privacy policy which suggests otherwise, ASDA do not appear to be overly concerned about the security of their customers.

I invited ASDA to comment on the situation, requesting more detailed information on who customers should contact if they believe they're affected by any security flaws. I received an "out of office" from their "data protection" email address and haven't heard anything since.
